From b9c5a182e59d312459a9dd1365e59b352d9499bd Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Wed, 3 Apr 2024 08:04:43 -0400 Subject: [PATCH] [libc++] Upstream ptrauth support in libc++ and libc++abi (#84573) This is an exact upstreaming of the downstream diff. Minor simplifications can be made in the future but upstreaming as-is will make it easier for us to deal with downstream merge conflicts. Partially fixes #83805 --- libcxx/include/typeinfo | 15 ++- libcxx/src/include/overridable_function.h | 131 ++++++++++++++++++++++ libcxxabi/src/private_typeinfo.cpp | 19 ++++ 3 files changed, 163 insertions(+), 2 deletions(-) create mode 100644 libcxx/src/include/overridable_function.h diff --git a/libcxx/include/typeinfo b/libcxx/include/typeinfo index 59bc291454c3d9..2b6f2e3eba11a0 100644 --- a/libcxx/include/typeinfo +++ b/libcxx/include/typeinfo @@ -299,8 +299,19 @@ struct __type_info_implementations { __impl; }; -class _LIBCPP_EXPORTED_FROM_ABI type_info -{ +# if defined(__arm64__) && __has_cpp_attribute(clang::ptrauth_vtable_pointer) +# if __has_feature(ptrauth_type_info_discriminated_vtable_pointer) +# define _LIBCPP_TYPE_INFO_VTABLE_POINTER_AUTH \ + [[clang::ptrauth_vtable_pointer(process_independent, address_discrimination, type_discrimination)]] +# else +# define _LIBCPP_TYPE_INFO_VTABLE_POINTER_AUTH \ + [[clang::ptrauth_vtable_pointer(process_independent, no_address_discrimination, no_extra_discrimination)]] +# endif +# else +# define _LIBCPP_TYPE_INFO_VTABLE_POINTER_AUTH +# endif + +class _LIBCPP_EXPORTED_FROM_ABI _LIBCPP_TYPE_INFO_VTABLE_POINTER_AUTH type_info { type_info& operator=(const type_info&); type_info(const type_info&); diff --git a/libcxx/src/include/overridable_function.h b/libcxx/src/include/overridable_function.h new file mode 100644 index 00000000000000..fca66ea6daf7a8 --- /dev/null +++ b/libcxx/src/include/overridable_function.h @@ -0,0 +1,131 @@ +// -*- C++ -*- +//===----------------------------------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#ifndef _LIBCPP_SRC_INCLUDE_OVERRIDABLE_FUNCTION_H +#define _LIBCPP_SRC_INCLUDE_OVERRIDABLE_FUNCTION_H + +#include <__config> +#include + +#if defined(__arm64e__) && __has_feature(ptrauth_calls) +# include +#endif + +#if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER) +# pragma GCC system_header +#endif + +// +// This file provides the std::__is_function_overridden utility, which allows checking +// whether an overridable function (typically a weak symbol) like `operator new` +// has been overridden by a user or not. +// +// This is a low-level utility which does not work on all platforms, since it needs +// to make assumptions about the object file format in use. Furthermore, it requires +// the "base definition" of the function (the one we want to check whether it has been +// overridden) to be annotated with the _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE macro. +// +// This currently works with Mach-O files (used on Darwin) and with ELF files (used on Linux +// and others). On platforms where we know how to implement this detection, the macro +// _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION is defined to 1, and it is defined to 0 on +// other platforms. The _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE macro is defined to +// nothing on unsupported platforms so that it can be used to decorate functions regardless +// of whether detection is actually supported. +// +// How does this work? +// ------------------- +// +// Let's say we want to check whether a weak function `f` has been overridden by the user. +// The general mechanism works by placing `f`'s definition (in the libc++ built library) +// inside a special section, which we do using the `__section__` attribute via the +// _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE macro. +// +// Then, when comes the time to check whether the function has been overridden, we take +// the address of the function and we check whether it falls inside the special function +// we created. This can be done by finding pointers to the start and the end of the section +// (which is done differently for ELF and Mach-O), and then checking whether `f` falls +// within those bounds. If it falls within those bounds, then `f` is still inside the +// special section and so it is the version we defined in the libc++ built library, i.e. +// it was not overridden. Otherwise, it was overridden by the user because it falls +// outside of the section. +// +// Important note +// -------------- +// +// This mechanism should never be used outside of the libc++ built library. In particular, +// attempting to use this within the libc++ headers will not work at all because we don't +// want to be defining special sections inside user's executables which use our headers. +// This is provided inside libc++'s include tree solely to make it easier to share with +// libc++abi, which needs the same mechanism. +// + +#if defined(_LIBCPP_OBJECT_FORMAT_MACHO) + +# define _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION 1 +# define _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE \ + __attribute__((__section__("__TEXT,__lcxx_override,regular,pure_instructions"))) + +_LIBCPP_BEGIN_NAMESPACE_STD +template +_LIBCPP_HIDE_FROM_ABI bool __is_function_overridden(_Ret (*__fptr)(_Args...)) noexcept { + // Declare two dummy bytes and give them these special `__asm` values. These values are + // defined by the linker, which means that referring to `&__lcxx_override_start` will + // effectively refer to the address where the section starts (and same for the end). + extern char __lcxx_override_start __asm("section$start$__TEXT$__lcxx_override"); + extern char __lcxx_override_end __asm("section$end$__TEXT$__lcxx_override"); + + // Now get a uintptr_t out of these locations, and out of the function pointer. + uintptr_t __start = reinterpret_cast(&__lcxx_override_start); + uintptr_t __end = reinterpret_cast(&__lcxx_override_end); + uintptr_t __ptr = reinterpret_cast(__fptr); + +#if defined(__arm64e__) && __has_feature(ptrauth_calls) + // We must pass a void* to ptrauth_strip since it only accepts a pointer type. Also, in particular, + // we must NOT pass a function pointer, otherwise we will strip the function pointer, and then attempt + // to authenticate and re-sign it when casting it to a uintptr_t again, which will fail because we just + // stripped the function pointer. See rdar://122927845. + __ptr = reinterpret_cast(ptrauth_strip(reinterpret_cast(__ptr), ptrauth_key_function_pointer)); +#endif + + // Finally, the function was overridden if it falls outside of the section's bounds. + return __ptr < __start || __ptr > __end; +} +_LIBCPP_END_NAMESPACE_STD + +#elif defined(_LIBCPP_OBJECT_FORMAT_ELF) + +# define _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION 1 +# define _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE __attribute__((__section__("__lcxx_override"))) + +// This is very similar to what we do for Mach-O above. The ELF linker will implicitly define +// variables with those names corresponding to the start and the end of the section. +// +// See https://stackoverflow.com/questions/16552710/how-do-you-get-the-start-and-end-addresses-of-a-custom-elf-section +extern char __start___lcxx_override; +extern char __stop___lcxx_override; + +_LIBCPP_BEGIN_NAMESPACE_STD +template +_LIBCPP_HIDE_FROM_ABI bool __is_function_overridden(_Ret (*__fptr)(_Args...)) noexcept { + uintptr_t __start = reinterpret_cast(&__start___lcxx_override); + uintptr_t __end = reinterpret_cast(&__stop___lcxx_override); + uintptr_t __ptr = reinterpret_cast(__fptr); + + return __ptr < __start || __ptr > __end; +} +_LIBCPP_END_NAMESPACE_STD + +#else + +# define _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION 0 +# define _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE /* nothing */ + +#endif + +#endif // _LIBCPP_SRC_INCLUDE_OVERRIDABLE_FUNCTION_H diff --git a/libcxxabi/src/private_typeinfo.cpp b/libcxxabi/src/private_typeinfo.cpp index 857ae25b7028df..1fb7c2ffd7ec87 100644 --- a/libcxxabi/src/private_typeinfo.cpp +++ b/libcxxabi/src/private_typeinfo.cpp @@ -51,6 +51,21 @@ #include #endif +#if __has_feature(ptrauth_calls) +#include +#endif + + +template +static inline +T * +get_vtable(T *vtable) { +#if __has_feature(ptrauth_calls) + vtable = ptrauth_strip(vtable, ptrauth_key_cxx_vtable_pointer); +#endif + return vtable; +} + static inline bool is_equal(const std::type_info* x, const std::type_info* y, bool use_strcmp) @@ -103,6 +118,7 @@ void dyn_cast_get_derived_info(derived_object_info* info, const void* static_ptr info->dynamic_type = *(reinterpret_cast(ptr_to_ti_proxy)); #else void **vtable = *static_cast(static_ptr); + vtable = get_vtable(vtable); info->offset_to_derived = reinterpret_cast(vtable[-2]); info->dynamic_ptr = static_cast(static_ptr) + info->offset_to_derived; info->dynamic_type = static_cast(vtable[-1]); @@ -561,6 +577,7 @@ __base_class_type_info::has_unambiguous_public_base(__dynamic_cast_info* info, offset_to_base = __offset_flags >> __offset_shift; if (is_virtual) { const char* vtable = *static_cast(adjustedPtr); + vtable = get_vtable(vtable); offset_to_base = update_offset_to_base(vtable, offset_to_base); } } else if (!is_virtual) { @@ -1501,6 +1518,7 @@ __base_class_type_info::search_above_dst(__dynamic_cast_info* info, if (__offset_flags & __virtual_mask) { const char* vtable = *static_cast(current_ptr); + vtable = get_vtable(vtable); offset_to_base = update_offset_to_base(vtable, offset_to_base); } __base_type->search_above_dst(info, dst_ptr, @@ -1521,6 +1539,7 @@ __base_class_type_info::search_below_dst(__dynamic_cast_info* info, if (__offset_flags & __virtual_mask) { const char* vtable = *static_cast(current_ptr); + vtable = get_vtable(vtable); offset_to_base = update_offset_to_base(vtable, offset_to_base); } __base_type->search_below_dst(info,